Re: virus recipe for MyDoom
2004-01-30 19:01:42
At 12:09 2004-01-30 -0700, LuKreme wrote:
> On 27 Jan 2004, at 08:37, Dallman Ross wrote:
>> Why don't users have standard commercial anti-virus programs in place on
>> their workstations?
> Most of them do. But of course, by the time a virus is identified and the
> anti-virus software is updated and people update their anti-virus... well,
> but then it is too late for many many people.
Too late for the people moronic or uninformed enough to:
* use mail agents known to have frequent security problems
(the aptly named MS OutBreak comes to mind)
* use web browsers which have a new, critically serious vulnerability
discovered every couple of weeks or so (MS claims they can't
release fixes for the current version browsers until they've
regression tested the same fixes for older browsers, but I
don't rightly recall them releasing updates for MSIE4 and MSIE5
anyway, since their "fix" is invariably to require you to
install their latest and greatest). MS still doesn't have a
fix for the forged URL problem, and there's already a forged
file extension vulnerability. Combine the two, and anyone
running MSIE is in serious trouble.
* open and run attachments just for the hell of it.
As a rule, if I didn't _REQUEST_ an attachment, or it's not obviously part
of an exchange I'm having with someone (and well, I don't use email for file
exchanges anyway), I don't open it. No how, no way. For ZIP files, which
I've always regarded as the safe way to pass executable files between
parties (which is why I've got no qualms with ditching ALL executable files
in a global filter on my mailserver), I don't run any ZIP software that
auto-executes files, and I'd still need to be EXPECTING something from someone.
PGP signing remains the best option for sending messages with program
attachments. If the message doesn't carry a valid signature, then it's trash.
Curiously, despite having been active in BBS systems, downloading shareware
software by the bucketload for years, as well as being on this internet
thang for over a decade, I've _NEVER_ had a virus infection on any of my
systems, and I run quite a few. NEVER, as in NONE, not even once. I've
got an isolated system I use for testing things and it's been infected a
few times, but that's one of its roles - to act as a digital petri dish:
its various OS loads are burned on CD and restored after tests have been
run, so it's frequently refreshed. It permits me to examine (when I want
or need to), the filesystem interaction of a virus, or the network
signature produced by one. This can be quite handy when you're pulling
someone else's ass out of a fire, because in a controlled environment,
it's much easier to get a snapshot of before and after, which in turn makes
it easier to roll on over to another system and fix things, even before the
specifics of a virus have become known. Or, when the characteristics of a
virus make it difficult to install A/V software on the already-infected
machine (we're talking Windowze here of course).
FTR, I don't run an A/V program (not an automated one - I do have A/V stuff
on the network to scan filesets, but it isn't something that is "installed"
or running all the time). I used to ages ago, but found they caused too
many problems (at the time, largely performance related, but nowadays, it's
a combination of performance, compatibility, and false security), and, as
noted, you've got to constantly be on top of the definition updates, and
even if you are religious about them, they only get updated *AFTER* A/V
firms have had an opportunity to review viruses from the wild and develop
definitions and disinfection routines for them. How many people get hit by
a new virus before the A/V firms have had an opportunity to react?
Once you accept that an A/V program provides a false security, and accept
that you have to take responsibility for what you run, you're much better off.
Bottom line: a proactive and relatively generic approach will serve you
much better than trusting in any A/V program can. The problem is the
careless mentality of so many users. These would be the same morons who
cleartext virtually everyone in their addressbook (many of whom don't know
one another) to send a personal message, which results in every one of
those people's addresses appearing in other people's inboxes, to be
harvested by viruses.
These same idiots are the type of people who think "I installed an A/V
program on my computer three years ago [and haven't done ANYTHING to update
it since], so I must be safe."
Possibly many felt quite secure running their Norton and opening the
MyDoom file the first couple of days.
> Personally, I am ambivalent to some small degree about mydoom. On the one
> hand it's a trojan and it screws up my bandwidth and is BAD. On the other
> hand, it infects MS malware to attack SCO, and that's kinda GOOD.
No, it's bad all around. SCO doesn't have a legal leg to stand on, and
when/if they ever manage to get to court with their BS, it'll go down in
flames on the (dis-)merit of their case. No need to royally screw the
entire internet.
The DoS is pretty stupid too - so, SCO knows their network is going to be
abused, and when. Guess what? Reach into those deep pockets (or those of
Uncle Gates, who owns a 25% share, just in case anyone wonders about the
origins of this push for action against Linux), and set up proxy web
servers, plus an alternate IP network. Proxy servers issue a redirect (an
action which takes very little processing overhead, and can certainly be
distributed among many hosts) for all the web requests, possibly after
first probing the connecting system for legitimacy. If the connecting
system is suspect, then they dynamically add it to a firewall (whose rules
get expired say after 12 hours). Sure, there's still a network headache,
but it hardly brings the organization to its knees.
And besides, who all bothers to visit the SCO website anyway? I suspect
that saturating the SCO network in a DoS would only serve to reduce their
performance of playing Quake or somesuch between campuses.
Remember: malware has no legitimate purpose. It causes problems for all
sorts of people, even the ones who aren't running the target software
(surely CodeRed and Nimda ring bells for people operating webservers - unix
webservers weren't subject to the bug they were exploiting, but that didn't
mean the viruses weren't trying their best to hammer them). FTR, my
response to CodeRed (and II) as well as Nimda was to produce a script which
the server redirects all .DLL and similar requests to, and that script
sorts out what type of virus is making the request, then performs whois and
netblock lookups and sends an infection report to the provider responsible
for the infected host. The source IP gets added to a cache and
subsequently ignored (reducing server load, but also avoiding repeat
notifications) for 24 hours, at which time it expires from the cache, and
can once again visit the site (possibly legitimately, or to invoke the
warning mechanism again).
This isn't rocket science.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
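The CodeRed/Nimda responder described in the message above (classify the worm from the request, notify once, then ignore the source for 24 hours), reconstructed here as an added example rather than the poster's own script. The probe paths are the well-known signatures of those two worms, the access-log lines are constructed, and the whois lookup plus report mail is replaced by a caller-supplied callback so it runs offline.

```python
import re
import time

# Well-known probe paths of the worms named in the post (assumed signatures):
# CodeRed hit the .ida ISAPI handler, Nimda looked for root.exe / cmd.exe.
WORM_SIGNATURES = (
    ("CodeRed", re.compile(r"^/default\.ida\?", re.I)),
    ("Nimda", re.compile(r"/(root|cmd)\.exe", re.I)),
)
SUPPRESS_SECONDS = 24 * 3600   # one report per source IP per 24 hours
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(path):
    """Return the worm whose signature matches the request path, else None."""
    for name, pattern in WORM_SIGNATURES:
        if pattern.search(path):
            return name
    return None

class InfectionReporter:
    def __init__(self, notify, clock=time.time):
        self.notify = notify    # notify(ip, worm, path): stands in for whois + mail
        self.clock = clock      # injectable clock so the 24h expiry is testable
        self.last_report = {}   # source IP -> time of last notification

    def expire(self):
        """Drop cache entries older than SUPPRESS_SECONDS."""
        cutoff = self.clock() - SUPPRESS_SECONDS
        self.last_report = {ip: t for ip, t in self.last_report.items() if t >= cutoff}

    def handle(self, ip, path):
        """Classify one request; returns 'clean', 'suppressed' or 'reported'."""
        worm = classify(path)
        if worm is None:
            return "clean"
        self.expire()
        if ip in self.last_report:
            return "suppressed"     # still cached: no repeat notification
        self.last_report[ip] = self.clock()
        self.notify(ip, worm, path)
        return "reported"

    def process_log(self, lines):
        """Feed access-log lines; return a list of (ip, path, outcome)."""
        out = []
        for line in lines:
            m = LOG_RE.match(line)
            if m:
                out.append((m.group(1), m.group(3), self.handle(m.group(1), m.group(3))))
        return out

SAMPLE_LOG = [   # constructed log lines, not from any real server
    '192.0.2.10 - - [30/Jan/2004:19:01:42 -0800] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 -',
    '192.0.2.10 - - [30/Jan/2004:19:01:43 -0800] "GET /default.ida?XXXXXXXX%u9090 HTTP/1.0" 404 -',
    '198.51.100.7 - - [30/Jan/2004:19:02:00 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.5 - - [30/Jan/2004:19:02:10 -0800] "GET /index.html HTTP/1.1" 200 1234',
]
```

In the poster's setup the web server redirected the worm requests straight into the script; here the same logic is driven from log lines so it can be exercised without a server.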
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail